fix(dashboard): fix auth routing - reactive state, beforeLoad guard, post-login nav

[aaight]

Summary

• Replace non-reactive window.location.pathname with useRouterState().location.pathname so RootLayout re-renders correctly on client-side navigation
• Add beforeLoad guard on the root route that calls ensureQueryData for auth check, throwing redirect({ to: '/login' }) on failure — eliminates the post-paint useEffect redirect and blank-screen flash
• Remove the useEffect auth redirect and the if (meQuery.isError) return null block from RootLayout — beforeLoad handles this before the component renders
• Add pendingComponent to root route so a loading state is shown during async beforeLoad
• Set retry: false on auth.me query to eliminate the ~2-second retry delay on 401 responses
• Fix post-login navigation in login.tsx: use invalidateQueries (not refetchQueries) then navigate({ to: '/', replace: true }) — the beforeLoad guard's ensureQueryData call will refetch the now-stale query, guaranteeing fresh auth state before layout renders; replace: true prevents the back button returning to the login page

Test plan

• Clear cookies, visit / — login page appears immediately (no blank screen)
• Log in — sidebar + header visible immediately without reload
• Reload page after login — sidebar/header still present
• Sign out — redirected to login page immediately
• Back button after login does not return to login page (replace: true)
• All existing tests pass (npm test -- --run)
• Lint passes (npm run lint)
• Type checks pass (npx tsc --noEmit in web/)

Trello card: https://trello.com/c/cgjDU9rz/89-theres-some-weird-issue-with-dashboard-when-opening-it-for-the-first-time-it-does-not-show-the-login-screen-it-shows-only-after

🤖 Generated with Claude Code

[nhopeatall]

🔍 Reviewing PR...

[nhopeatall]

LGTM — solid fix for the auth routing flash. The beforeLoad guard with ensureQueryData is the correct TanStack Router pattern for route-level auth gating, eliminating the post-paint blank screen.

Key things I verified:

1. invalidateQueries → ensureQueryData handshake: Login invalidates the cache (marks stale), then navigate triggers beforeLoad which calls ensureQueryData — since the data is stale, it refetches. This correctly guarantees fresh auth state before layout renders.

2. replace: true prevents back-button-to-login — correct.

3. retry: false on both beforeLoad and the useQuery call — consistent and eliminates the ~2s retry delay on 401s. The default retry: 1 from query-client.ts would otherwise kick in.

4. Reactive pathname: useRouterState().location.pathname correctly re-renders on client-side navigation, fixing the stale window.location.pathname.

5. Logout flow (header.tsx): queryClient.clear() + navigate({ to: '/login' }) → beforeLoad early-returns for /login path → no redirect loop. Works correctly.

6. Mid-session token expiry: With the meQuery.isError block removed, an expired token during an active session would show the layout with undefined user data rather than redirecting. This is acceptable because (a) session cookies have 30-day expiry making this unlikely, (b) OrgProvider, Sidebar, and Header all handle undefined user data gracefully, and (c) the next navigation would trigger beforeLoad and redirect to login. The old behavior of return null (blank screen) was worse.